In the News (Tue 12 Dec 17)

Computersecurity is the effort to create a securecomputing platform, designed so that agents (users or programs) cannot perform actions that they are not allowed to perform, but can perform the actions that they are allowed to.

A securecryptoprocessor is a dedicated computer for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance.

The purpose of a securecryptoprocessor is to act as the keystone of a security sub-system, eliminating the need to protect the rest of the sub-system with physical security measures.

A securecryptoprocessor is a dedicated computer for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance.

The purpose of a securecryptoprocessor is to act as the keystone of a security sub-system, eliminating the need to protect the rest of the sub-system with physical security measures.

Fritz is a securecryptoprocessor that is under development and brings trusted computing to ordinary PCs by enabling a secure environment.

Associated fields are steganography — the study of hiding the very existence of a message, and not necessarily the contents of the message itself (for example, microdots, or invisible ink) — and traffic analysis, which is the analysis of patterns of communication in order to learn secret information.

Securecryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.

Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.

The secure attention key is a special key combination to be entered before a login screen is presented, for example Control-Alt-Delete.

Only the kernel, which is the part of the operating system that interacts directly with the hardware, can detect whether the secure attention key has been pressed, so it cannot be intercepted by third party programs.

Under Palladium, the Microsoft operating system, working with a securecryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and which run side by side with ordinary code.

The stated aim is to fix the problems of current computer insecurity, and to create new kinds of distributed applications, where each component can know and trust the operation of other parts of the system, even when they are running on remote computers.

Simon Conant, a 'security expert' (quoted verbatim from the source article, the UK Metro) working for Microsoft said 'We need to go back to the drawing board with a brand new architecture for the PC'.

The security of the machine relies mostly on the integrity of the securecryptoprocessor: the host software often runs on a commodity operating system.

Modern ATM physical security, like other modern money-handling security, concentrates on denying the use of the money inside the machine to a thief, by means of techniques such as dye markers and smoke canisters.

It was named after former United States Senator Ernest "Fritz" Hollings, who sponsored several pieces of legislation aimed at protecting the interests of intellectual property (ie, copyright and software license) holders in the digital age, including one (the CBDTPA) that might mandate the inclusion of such a chip in every computer.

The Fritz-chip is meant to make it much harder to illegally copy copyrighted content and, perhaps, to use unlicensed software.

The security of the system fails if one, or both, of them is poorly implemented, is poorly designed, or is successfully attacked.

The "Next-Generation SecureComputing Base" (NGSCB), formerly known as Palladium (Pd), is Microsoft's new trusted computing architecture.

This is similar to the problems caused by files using different and mutually incompatible formats, but more so; instead of simply needing to reverse-engineer the dominant file format, a potential new competitor would need to find a way to decrypt the files, which would be much more difficult and possibly even illegal.

Those who attempt to circumvent the security restrictions of NGSCB could be sued under the Digital Millennium Copyright Act, advise challengers.

The Next-Generation SecureComputing Base (NGSCB), formerly known as Palladium, is a software architecture designed by Microsoft which will implement the controversial trusted computing concept on future versions of the Microsoft Windows Operating System.

Microsoft's stated aim for NGSCB is to increase the security and privacy of computer users[1], but critics assert that the technology will not only fail to solve the majority of contemporary IT security problems, but also result in an increase in vendor lock-in and a resulting reduction in competition in the IT marketplace.

Although the TPM can only store a single cryptographic key securely, secure storage of arbitrary data is by extension possible by encrypting the data such that it may only be decrypted using the securely stored key.

The advantage to building your solution on time-tested password protocols is that they are more trustworthy and well-studied than a more ad-hoc proposal, and it is less likely that you will accidentally introduce new vulnerabilities that make it weaker than a straight password-only protocol.

On the other hand, it seems to be true that it is often more difficult to obtain (and use) more 'real' entropy than more 'computational' entropy, because in the first case one has to use a hardware source and there is the problem of communicating the (more voluminous) bit sequences to the partner.

Of course, that does *not* mean it isn't a very good idea to have a separate computer, that users don't run their own programs on, to handle the encryption and user authentication, it just means that a halfway decent solution that really does eliminate the dictionary attack is possible without extra hardware.

Security Instrument Business and Finance - Security Instrument Discounts Security Instrument and Business and Finance Asian Security Order: Instrumental and Normative Features by Eileen Spinelli, ISBN 0804746281 These do they contain the ordinary certainty environmental on the Korean peninsula, through the Taiwan Does he narrow, and over Kashmir, the do I...

Under Palladium, the Microsoft operating system, working with a securecryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and...

Thus, the new regime promoted modernization along with the creation of a strong security apparatus to prevent coups within the power structure and insurrections apart from it.

In modern ATMs, customers authenticate themselves by using a plastic card with a magnetic stripe, which encodes the customer's account number, and by entering a numeric passcode[?] called a PIN (Personal Identification Number), which may be changed using the machine.

Modern ATM physical security concentrates on denying the use of the money inside the machine to a thief, by means of techniques such as dye markers and smoke canisters.

In store ATMs typically connect directly to their ATM Transaction Processor[?] via a modem over a dedicated telephone line, although the move towards Internet connections is under way.

I thought in more pedestrian directions, and noted how a specific secure box, which acted like a *good password typer* at the host end could be used.

Doing encryption inside a secure 'cryptoprocessor' at one or both ends could also solve the problem because all that's needed is secure storage of one private key for each user.

I was trying to say that the difference in the cost (of a given amount of security) between asymmetric and symmetric encryption diminished in percentage terms as the key length increases, and that a point would come where there was no conceivable point in increasing key length further (i.e.

Business Software Review:Category Top/Computers/Hardware/Systems/Smartcards(Site not responding. Last check: 2007-10-19)

A security token (or sometimes a hardware token) is a small physical device that an authorized user of computer services

A number of key vulnerabilities exist even with digital encryption: The same code is used for millions of subscribed receivers to decrypt the signal, yet it must remain completely secret.

Whilst the vulnerability they exploited was a flaw in the software loaded on the 4758, and not the architecture of the 4758 itself, their attack serves as a reminder that a security system is only as secure as its weakest link: the strong link of the 4758

www.business-software-review.org /Category53293.html (142 words)

Computer Base(Site not responding. Last check: 2007-10-19)

The ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy.

The problem with CBL is that it is not as good as having a real human teacher because it can only answer questions which have been programmed into it.

Opponents of this idea regard this is an ironic development, as Microsoft has a famously poor record in software security, with weaknesses in the security stance of their existing software being one of the prime causes of computer insecurity.

Tamper resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters.

If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage.

Note, however, that this is already the case as many software companies use proprietary file formats that are difficult or impossible to read in other applications.

Advocates of alternatives to Outlook have suggested that a mail program which either has no scripting language at all or has a scripting language which is too secure to be exploited is completely immune to the virus.

According to their logic, using a non-Microsoft operating system and/or a mail program with no Outlook-style flaws is a perfectly adequate defense against mail viruses.